Is cyber insurance too hard for some?

by 18 Nov 2015

Shreya Kalra
A rash of high profile attacks over the last year has proved that cyber security breaches are not just a problem for the future – they’re not even today’s rare occurrence. JP Morgan, Target, Ashley Madison and Home Depot were among the diverse list of corporations to have suffered through a security breach in the last year.
This clear threat to businesses and customers has led to more and more companies scrambling to get cyber insurance to protect themselves against a potential attack. Loss of data to cyber attackers would be any company’s worst nightmare – not only does it cause steep financial losses, but it also does untold damage to a brand's reputation.
According to a recent study by PwC, the cyber security insurance market is all set to triple to about US$7.5 billion in the next five years as an increasing number of companies realize the need for cyber insurance.
The flood of hacks is both good and bad news for insurers. It means they have to pay out more in claims, but it also works as great advertising about insuring against such threats.
There are concerns however, that many insurers are operating blindly in this nascent market, lacking the necessary skills to assess cyber risks and develop appropriate products.
A report in CIO magazine said the cyber-insurance market is filled with inconsistencies and loopholes and suffers from a shortage of qualified staff who can properly assess cyber security profiles.
Shawn Wiora, the CIO and CISO of Creative Solutions in Healthcare, a nursing care facility provider: “The application process is less than what you would think it would be, in terms of the due diligence. I like to work with strong partners and, at this point, I’m not sure that a lot of the insurers know what they’re doing.”
Wiora’s cyber-insurance shopping experience was packed with frustration, full of vague questionnaires designed to determine whether a company uses encryption, as well as how their firewalls and password authentications are set up.
According to Wiora, insurers in this market aren’t yet fully ready to handle the needs of the market. They have little knowledge, he says, of cyber-security terminology, let alone risks.
His concern is picking an insurance provider with lax practices and suffering a breach, then getting mired in litigation as the parties debate coverage particulars.
But prospective clients aren’t the only ones worried about whether insurers will cover all the risks. Insurers are also wary of the hard-to-predict risks they are taking on.
"We have turned clients away," Tracie Grella, the global head of professional liability at insurance giant American International Group (AIG), told Reuters.
AIG offers cyber policies that cover up to US$75 million for a cyberattack, but only for companies like top global banks that are the most adept at securing networks and mitigating cyber risk.
Clearly there is huge opportunity for insurers, but the market needs to develop. Not only so that clients can feel confident in their selection of insurer, but also to ensure carriers perform adequate due diligence and protect themselves from unnecessary risks.